Departmental IT Security Baseline


Table of Contents:

  1. Purpose
  2. Policy and Awareness
  3. Access Control
  4. Physical Security
  5. Network
  6. Servers
  7. Workstations
  8. Application Development Security
  9. Supporting Processes

PURPOSE

The purpose of the IT security baseline is to:

  • assess the current security practices of IT departments across campus
  • identify tasks for departments to meet security standards set by the IT Security department
  • implement the capability to monitor security metrics.

The IT security baseline is intended to inform each unit of the actions required to ensure that practical, basic security measures have been implemented that reduce the risk of unauthorized access to IT resources and data. The baseline requirements are intended to create a minimally acceptable security standard for all the IT departments on campus. The baseline will not ensure compliance with any particular federal or industry security standard (e.g., PCI-DSS, HIPAA, FERPA, FISMA). IT Security and Internal Audit will work with information technology units to implement a common set of IT practices that report results through IT Security-monitored mechanisms and accomplish the following goals.

  • Implement a common set of tools, processes, and procedures to reduce the risk of unauthorized access to information systems.
  • Implement a common set of procedures so that intrusions are quickly detected and appropriate personnel are alerted in a timely manner.
  • Monitor and verify security metrics to ensure units are operating at the minimally acceptable security baseline.

IT Security will work with departments to provide adequate training and tools on an as-needed basis. An information security awareness program will be implemented to reinforce information security principles to departmental staff.

POLICY AND AWARENESS

  • Assign a departmental security contact to:
    • Be responsible for departmental IT security
    • Act as point of contact with IT Security
    • Monitor and review log information in the IT Security SEM.
  • The UW-Madison Information Incident Reporting and Response policy and procedure must be followed to ensure timely and effective handling of all situations.
  • The UW-Madison Electronic Devices policy must be adhered to at all times.
  • Media or devices that may contain sensitive information must be adequately obfuscated, erased, destroyed or otherwise rendered unusable before disposal or reuse for another purpose per the UW-Madison Media and Device Disposal and Reuse Policy.
  • The UW-Madison Responsible Use of Information Technology Policy must be adhered to at all times.
  • All server and workstation images must be audited using the Center for Internet Security compliance assessment tool. The Center for Internet Security templates will be used as a baseline for comparing the department’s operating system security settings to a set of federal security standards and provide a report.

IT SECURITY REQUIREMENTS

ACCESS CONTROL

  • All passwords must conform to the campus minimum password standards.
  • Verify users’ identities before performing password resets.
  • A process must be in place to deactivate user accounts under emergency circumstances such as termination, compromise, or infection.
  • Inactive user accounts are disabled after 90 calendar days.
  • User IDs are locked out for 15 minutes after six invalid authentication attempts.
  • Users do not have local administrative privileges unless an exception is made by the department head, documented and reviewed annually.
  • Administrative account passwords (e.g., root or enterprise domain admin accounts) are stored in a secure repository.
  • All workstations must initiate a screen lock after 15 minutes of inactivity.
  • Privileged access to administrative systems needs to be documented and reviewed annually.
  • Vendor access must be approved and monitored.
  • Service accounts are used for internal application and database operations.
  • Secure administrative interfaces for applications and devices.
    • Default passwords must be changed upon first usage.
    • Change default ports if possible.
    • Deny access to administrative interfaces from the public Internet unless encrypted.
  • System Administrators do not use Administrative accounts for general purpose computing.
  • First-time passwords are set to a unique value for each user, and must be immediately changed upon first use.
  • Reset passwords are set to a unique value for each user, and must be immediately changed upon first use.
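The lockout and inactivity rules above, applied to a constructed authentication log and account export as an added example (not the department's tooling; the user IDs, timestamps and the consecutive-failure counting are assumptions):

```python
"""Audit helpers for two access-control rules above (added example, not the
department's tooling): a user ID is locked for 15 minutes after six invalid
attempts, and an account inactive for 90 calendar days is disabled. The
authentication log and account export below are constructed."""
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 6                       # invalid attempts before lockout
LOCKOUT_DURATION = timedelta(minutes=15)
INACTIVITY_LIMIT = timedelta(days=90)


def lockout_state(events, now):
    """Return {user ID: lock_lifts_at} for IDs still locked out at `now`.

    events: (timestamp, user ID, success) tuples. Assumption: failures are
    counted consecutively since the last success; the sixth failure locks
    the ID for 15 minutes and resets the counter.
    """
    streak, locked = {}, {}
    for ts, user, ok in sorted(events, key=lambda e: e[0]):
        if ok:
            streak[user] = 0
            continue
        streak[user] = streak.get(user, 0) + 1
        if streak[user] >= LOCKOUT_THRESHOLD:
            locked[user] = ts + LOCKOUT_DURATION
            streak[user] = 0
    return {u: until for u, until in locked.items() if until > now}

def stale_accounts(accounts, now):
    """Return user IDs whose last activity is more than 90 calendar days old."""
    return sorted(u for u, last in accounts.items() if now - last > INACTIVITY_LIMIT)

NOW = datetime(2024, 3, 1, 12, 0)           # constructed "current time"

def _failures(user, start_minutes_ago, count):
    """Constructed run of one failed login per minute, starting that long ago."""
    return [(NOW - timedelta(minutes=start_minutes_ago - i), user, False)
            for i in range(count)]

AUTH_EVENTS = (
    _failures("carol", 40, 6)                          # lock expired 20 min ago
    + _failures("alice", 30, 5)                        # five failures, then a
    + [(NOW - timedelta(minutes=25), "alice", True)]   # success resets the count
    + _failures("bucky", 10, 6)                        # locked until NOW + 10 min
)
ACCOUNTS = {"bucky": NOW - timedelta(days=1),          # constructed last activity
            "alice": NOW - timedelta(days=89),
            "dormant": NOW - timedelta(days=120)}
```

Running `lockout_state(AUTH_EVENTS, NOW)` reports only bucky as locked, and `stale_accounts(ACCOUNTS, NOW)` reports only the dormant account, because 89 days is still inside the 90-day limit.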

PHYSICAL SECURITY

  • System backup media must be stored in a secure location or encrypted.
  • Access to network jacks in public areas requires authentication.
  • Servers are kept in a locked room.

NETWORK

  • Protect networked devices with firewall(s)
    • Only personnel who have successfully completed the DoIT firewall training class can manage campus firewalls.
    • Firewalls must restrict inbound connections to systems of interest.
    • Firewalls send logs to the campus Security Event Management (SEM) system.
  • Firewall rule changes must be documented and tracked.
  • The departmental security contact is responsible for ensuring firewall rules are audited annually.
  • The departmental security contact is responsible for ensuring external vulnerability scans against network resources are performed every six months.
    • Results must be reviewed by the departmental security contact.
    • All vulnerabilities must be remediated within 30 calendar days.
  • The departmental security contact is responsible for ensuring internal vulnerability scans against network resources are performed every six months.
    • Results must be reviewed by the departmental security contact.
    • All vulnerabilities must be remediated within 30 calendar days.
  • All wireless access points must be managed and inventoried by the IT department.
  • The departmental security contact must monitor and respond to alerts received from the IT Security Security Event Management (SEM) system or the IT Security border Intrusion Detection Systems.

SERVERS

  • All servers must be managed using an endpoint management suite (e.g., Microsoft SCCM, Altiris, or TEM).
    • All servers must run a supported operating system.
    • All server operating systems must have critical and security patches applied within 30 calendar days of release.
  • Secunia Corporate Software Inspector must be installed on all supported servers, and report results centrally.
    • The vendor must support all production applications, and end-of-life applications must be removed.
    • All critical and security patches for all applications must be installed within 30 calendar days of release.
    • The departmental security contact must monitor and review Secunia results.
  • All servers must run an IT Security approved antivirus protection tool (e.g., Symantec Endpoint Protection or Microsoft Forefront managed by SCCM) that can:
    • Receive updates daily
    • Perform daily lightweight scans
    • Perform a full weekly scan
    • Report results centrally
    • Notify IT staff if malware is found.
    • The departmental security contact must review alerts and ensure remediation of malicious content within three business days.
  • Disable all unnecessary services before a server goes online.
  • Servers hosting email services must not provide open relay services.
  • Host-based firewalls must be installed on all servers.
    • Host-based firewalls must restrict inbound connections to ports of interest.
    • Host-based firewalls send logs to the IT Security SEM.
    • The departmental security contact must review rules and exceptions annually.
  • Configure access logs, security logs, DHCP logs, DNS logs, and firewall logs to report to the IT Security SEM.
  • Identity Finder must be installed or run on all servers.
    • All servers must be scanned every 30 calendar days for restricted data.
    • Identity Finder must be configured to check for updates daily.
    • Identity Finder must be configured to report centrally.
    • The departmental security contact must review results and follow up on exceptions.

WORKSTATIONS

  • All workstations must be managed using an endpoint management suite (e.g., Microsoft SCCM, Altiris, or TEM).
    • All workstations must run an operating system that is supported by the vendor.
    • All workstation operating systems must have critical and security patches applied within 30 calendar days of release.
  • Secunia Corporate Software Inspector must be installed on all workstations, and report results centrally.
    • The vendor must support all production applications, and end-of-life applications must be removed.
    • All critical and security patches for all applications must be installed within 30 calendar days of release.
    • The departmental security contact must monitor and review Secunia results.
  • All workstations must run an IT Security approved antivirus protection tool (e.g., Symantec Endpoint Protection or Microsoft Forefront managed by SCCM) that can:
    • Receive updates daily
    • Perform daily lightweight scans
    • Perform a full weekly scan
    • Report results centrally
    • Notify IT staff if malicious content is found.
    • The departmental security contact must review alerts and ensure remediation of malicious content within three business days.
  • Host-based firewalls must be installed on all workstations.
    • Host-based firewalls must restrict inbound connections to ports of interest.
    • Host-based firewalls must record logs locally.
    • Host-based firewalls must be managed centrally.
    • The departmental security contact must review rules and exceptions annually.
  • Identity Finder must be installed on all workstations.
    • All workstations must be scanned every 30 calendar days for restricted data.
    • Identity Finder must be configured to check for updates daily.
    • Identity Finder must be configured to report centrally.
    • The departmental security contact must review results and follow up on exceptions.

APPLICATION DEVELOPMENT SECURITY

In addition to the server requirements above, custom web application servers must meet the following security requirements:

  • Inventory all applications centrally
  • Inventory all databases centrally
  • Web logs, access logs, and security logs must report to the IT Security SEM.
  • Validate data input from any and all untrusted sources, including cookies, URL parameters, form fields, HTTP headers, and inputs from external systems.
  • Require SSL for all sensitive pages. Non-SSL requests to these pages should be redirected to the SSL page.
  • Applications accepting passwords must use an extended validation SSL certificate.
  • Backend and other connections should also use SSL or other encryption technologies.
  • Ensure your certificate is valid, not expired, not revoked, and matches all domains used by the site.
  • Set the ‘secure’ flag on all sensitive cookies.
  • An inventory of active certificates must be maintained.
  • IBM AppScan will be used to scan custom applications using the Open Web Application Security Project (OWASP) Top 10 as a template.
  • Vulnerability scans of applications in development must take place prior to an application moving to production.
  • Vulnerability scans of applications in production must take place every six months.
  • Vulnerabilities identified using the OWASP Top 10 as a template must be remediated.
  • All supported databases must be scanned using the McAfee Vulnerability Manager for Databases for the following:
    • Up-to-date version and patch levels of database software.
    • Changes to objects within the database by parties other than the assigned administrator or specified system processes.
    • Unauthorized modification of privileges (privilege escalation).
    • Forensic traces from the use of common hacker tools.
    • Tables containing restricted data such as formatted Social Security Numbers (SSNs).
    • Weak passwords and shared passwords, including hashed passwords.
  • Scans of database services in development must take place prior to an application moving to production.
  • Scans of database services in production must take place every six months.
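An added example (not the page's own code or the department's AppScan workflow) that checks captured HTTP responses and parsed certificate data against the SSL-redirect, Secure-cookie and certificate items above; the host name app.example.edu, the response dictionaries and the certificate fields are constructed:

```python
"""Checks for the web-application items above (added example, not the
department's AppScan workflow): plain-HTTP requests to sensitive pages must
redirect to HTTPS, sensitive cookies must carry the Secure flag, and the
certificate must be unexpired and cover every host name the site uses.
The responses and certificate below are constructed. Revocation status is
not checked here; it needs a live OCSP/CRL lookup."""
from datetime import datetime
from urllib.parse import urlsplit


def redirects_to_https(response, host, path):
    """True if a plain-HTTP response redirects to the same page over HTTPS."""
    if response["status"] not in (301, 302, 307, 308):
        return False
    target = urlsplit(response["headers"].get("location", ""))
    return target.scheme == "https" and target.hostname == host and target.path == path

def insecure_cookies(response, sensitive_names):
    """Return the sensitive cookies a response sets without the Secure attribute."""
    missing = []
    for header in response.get("set_cookie", []):
        name_value, *attrs = [p.strip() for p in header.split(";")]
        name = name_value.split("=", 1)[0]
        flags = {a.split("=", 1)[0].lower() for a in attrs}
        if name in sensitive_names and "secure" not in flags:
            missing.append(name)
    return missing

def certificate_problems(cert, hostnames, now):
    """Report validity-period and host-name problems for a parsed certificate.

    cert: {"not_before", "not_after": datetime, "names": subject alt names}.
    Assumption: exact name matching only; wildcard names are not expanded.
    """
    problems = []
    if not cert["not_before"] <= now <= cert["not_after"]:
        problems.append("certificate expired or not yet valid")
    problems += [f"no name for {h}" for h in hostnames if h not in cert["names"]]
    return problems

# Constructed responses and certificate for the made-up host app.example.edu
HTTP_LOGIN = {"status": 301, "headers": {"location": "https://app.example.edu/login"}}
HTTPS_LOGIN = {"status": 200, "headers": {},
               "set_cookie": ["session=abc123; Path=/; HttpOnly",
                              "theme=dark; Path=/"]}
SENSITIVE_COOKIES = {"session"}
CERT = {"not_before": datetime(2024, 1, 1), "not_after": datetime(2025, 1, 1),
        "names": ["app.example.edu"]}
NOW = datetime(2024, 6, 1)
```

Against the constructed data, the redirect check passes, the session cookie is reported for lacking the Secure flag, and the certificate is reported only if the site is also served under a name the certificate does not list.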

SUPPORTING PROCESSES

  • Identify a departmental security contact.
  • Inventory process for tracking additions and removals of IT assets including servers, workstations, printers, firewalls, and other network devices.
  • Inventory process for tracking custom applications, purchased software, and databases.
  • Inventory of publicly accessible network jacks.
  • Change management process for tracking changes to firewalls, servers, workstations, printers, and other network devices.
  • Change management processes for tracking changes to custom applications and databases.
  • Patch management strategies for servers and workstations.
  • Patch management strategies for custom applications and purchased software.
  • Backup media storage and disposal processes.
  • System account, role, and membership audit process.
  • Processes for maintaining and updating continuity of operations plans.